x11/xfce ssh-agent once per logon for minimal (no gnome/kde) installation

Steve Franks bahamasfranks at gmail.com
Fri Jun 4 17:07:58 UTC 2010

On Fri, Jun 4, 2010 at 9:07 AM, Steve Franks <bahamasfranks at gmail.com> wrote:
> On Thu, Jun 3, 2010 at 11:56 PM, Matthew Seaman
> <m.seaman at infracaninophile.co.uk> wrote:
>> On 04/06/2010 24:39:46, Steve Franks wrote:
>>> I'm totally lost.  What I desire is to put in my passphrase for my
>>> public key(s) when I logon to my box.  Since I usually install from
>>> ports and use xfce, I have no infrastructure for this, and I'm getting
>>> nowhere fast.  My Fedora box popped up a nice little "enter
>>> passphrase" box the very first time I ssh'd to my server, and now it
>>> 'just works'.  My FreeBSD boxes (which are many - everything *but* the
>>> laptop with Fedora), 'just don't work'.  I've installed everything
>>> with 'ssh'  and either 'key' or 'agent' in the name from
>>> ports/security, and gone through the manpages, and tweaked countless
>>> environment variables, but every time I ssh on a FreeBSD box, it
>>> stubbornly locates the terminal I started any gui's from (i.e. meld +
>>> bzr), and asks for the passphrase a great many times daily.  Add that
>>> I've started my gui with meld& (so as to continue using said terminal
>>> - don't love 'panels', 'choosers', 'menus', etc - guis are for word
>>> processors and file managers, not desktops), I can't even type in the
>>> passphrase there.  I generally like using FreeBSD caveman style, but
>>> this is starting to drive me nuts.  No meld/bzr==no work from home==no
>>> happiness ;)
>>> Anyone have a 'standard' / FreeBSD-friendly best-practices for this?
>>> I think I'm just cluttering up my system here.
>> The problem you have is that you need to start ssh-agent(1) somewhere
>> very early in your login process, so that your entire desktop
>> environment can inherit all the necessary ssh-agent settings.
>> Exactly what to do depends on how you get into X11.  If you run
>> startx(1) manually when you want to switch from console to X11 then you
>> need to edit your ~/.xinitrc
>> Alternatively, if you use a display manager like xdm(1) -- ie. there's
>> an X based graphical login -- then you have two choices: edit your
>> ~/.xsession or tweak the pam configuration for your login manager.
>> If you want to go the 'edit .xinitrc or .xsession' route then you need
>> to do basically the same thing for either of those two files.  They're
>> pretty much just scripts that start up the initial X applications for
>> your login session: practically speaking, that means starting up your
>> window manager.  It's possible you don't have either of those files
>> explicitly in your account: in either case the system will run a
>> standard default script if it can't find a user specific version.
>> The .xinitrc or .xsession file should look something like this:
>> #!/bin/sh
>> # Import user environment settings
>> . "${HOME}/.profile"
>> # Start the agent and pull SSH_AUTH_SOCK / SSH_AGENT_PID into this shell,
>> # so every X client started below inherits them
>> eval $( ssh-agent -s )
>> # Eg. pop up an xterm so you can enter your ssh passphrase
>> # (-c: the agent asks for confirmation each time the key is used)
>> xterm -geometry 80x24-91+0 -e /usr/bin/ssh-add -c "${HOME}/.ssh/id_rsa" &
>> # Note: no '&' -- this should run in the foreground, so the script blocks
>> # here until you log out (your window manager / session command goes here)
>> xfce
>> # Session over: kill the agent we started above
>> eval $( ssh-agent -k )
>> #
>> # That's All Folks!
>> #
>> This is just a rough outline, which you should adapt to your own needs
>> -- in particular there are nicer apps you can use for entering a
>> passphrase.  Also note that you can probably omit that bit from the
>> .xinitrc or .xsession and have your window manager run it.  In any case,
>> the important bits are the two 'eval' lines bracketing the
>> window-manager startup.
>> The other possibility -- which is only available if you are using a
>> display manager like xdm(1) -- is tweaking the pam settings.  For xdm,
>> edit the file /etc/pam.d/xdm and uncomment the two lines mentioning
>> pam_ssh.  Now you will be able to log into your system via xdm using
>> your ssh passphrase, and xdm will start up ssh-agent for your session
>> and add your key to it.  Different display managers will have their own
>> pam.d files (either in /etc/pam.d or in /usr/local/etc/pam.d) but you
>> should be able to make equivalent changes there -- either uncomment or
>> add pam_ssh lines in the auth or session sections.
>>        Cheers,
>>        Matthew
>> --
>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>                                                  Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>> JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
> Ah, sometimes you're just a command away!  I'm surprised I couldn't
> google this (too many ssh examples, all the x11+agent ones must be
> hidden).
> So for posterity, this is the relevant portion of .xinitrc file:
> ...
> # askpass helper ssh-add falls back to, since it has no terminal here
> export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass
> eval $( ssh-agent -s )
> ssh-add &
> xfce4-session        # foreground, not exec'd, so the -k line below still runs
> eval $( ssh-agent -k )
> ....
> I was using "exec xfce4-session" as in most of the examples for
> .xinitrc files, which seemed to be mucking things up - ditching the
> exec was one of the key steps on my system.
> Now, when I login, xfce starts normally, and concurrently, a nice
> little window pops up asking for my passphrase for my keys!  Now I can
> ssh (and bzr) with impunity.
> Thanks!
> Steve

Oh, and if anyone needs a serviceable reference to generating &
installing keys, I found this one handy:
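An added example, not code from either message above: the .xinitrc pattern in the thread (eval ssh-agent -s, add the key, run the session, ssh-agent -k) wrapped in a few sh functions that go a step further than the thread's snippet. They reuse an agent that pam_ssh, a display manager or a parent shell has already handed down instead of spawning a second one, parse only the two variables out of ssh-agent's output rather than eval'ing the whole text, and kill the agent at logout only if this script started it. The file name ~/.ssh/agent.sh, the function names and the .xinitrc layout in the trailing comment are assumptions made for this example; the x11-ssh-askpass path is the one Steve used.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the .xinitrc/.xsession
# ssh-agent pattern.  Assumed to live in ~/.ssh/agent.sh (hypothetical name).

# agent_env_ok: succeed (0) only if SSH_AUTH_SOCK names a live unix socket
# and, when SSH_AGENT_PID is set, that process still exists.
agent_env_ok() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "${SSH_AUTH_SOCK}" ] || return 1
    if [ -n "${SSH_AGENT_PID:-}" ]; then
        kill -0 "${SSH_AGENT_PID}" 2>/dev/null || return 1
    fi
    return 0
}

# parse_agent_output: read the sh-style output of `ssh-agent -s` on stdin,
#     SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
#     SSH_AGENT_PID=124; export SSH_AGENT_PID;
#     echo Agent pid 124;
# and print "<socket-path> <pid>".  Fails (1) unless the socket is an
# absolute path and the pid is purely numeric, so nothing else in that
# text ever reaches the shell as code.
parse_agent_output() {
    sock= pid=
    while IFS= read -r line; do
        case "$line" in
            SSH_AUTH_SOCK=*) sock=${line#SSH_AUTH_SOCK=}; sock=${sock%%;*} ;;
            SSH_AGENT_PID=*)  pid=${line#SSH_AGENT_PID=};  pid=${pid%%;*} ;;
        esac
    done
    case "$pid"  in ''|*[!0-9]*) return 1 ;; esac
    case "$sock" in /*) ;; *) return 1 ;; esac
    printf '%s %s\n' "$sock" "$pid"
}

# start_agent_once: export a usable agent, starting one only if needed.
# Sets AGENT_STARTED_HERE=1 when this script is the one that should kill it.
start_agent_once() {
    AGENT_STARTED_HERE=0
    agent_env_ok && return 0
    out=$(ssh-agent -s) || return 1
    vals=$(printf '%s\n' "$out" | parse_agent_output) || return 1
    set -- $vals
    SSH_AUTH_SOCK=$1
    SSH_AGENT_PID=$2
    AGENT_STARTED_HERE=1
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# stop_agent_if_ours: the `ssh-agent -k` step, but never kill an agent
# some other component (pam_ssh, the display manager) owns.
stop_agent_if_ours() {
    [ "${AGENT_STARTED_HERE:-0}" = 1 ] || return 0
    ssh-agent -k >/dev/null 2>&1
}

# Corresponding ~/.xinitrc (assumed layout, mirroring the thread's snippet):
#   export SSH_ASKPASS=/usr/local/bin/x11-ssh-askpass
#   . "$HOME/.ssh/agent.sh"
#   start_agent_once
#   # no terminal on stdin -> ssh-add uses SSH_ASKPASS; -c asks before every
#   # use of the key, -t drops it after eight hours even if you stay logged in
#   ssh-add -c -t 8h "$HOME/.ssh/id_rsa" </dev/null &
#   xfce4-session            # foreground, not exec'd, so the next line runs
#   stop_agent_if_ours
```

The -c and -t flags on ssh-add are the two knobs worth turning once the agent lives for a whole desktop session: without them any process running as your user can use the loaded key silently, for as long as you stay logged in.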


